Subject: Re: [PATCH] mm/mremap: Fix address wraparound in move_page_tables()
From: Qi Zheng
To: Jann Horn
Cc: Andrew Morton, "Joel Fernandes (Google)", Lorenzo Stoakes, "Liam R. Howlett", Vlastimil Babka, linux-mm@kvack.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Date: Tue, 12 Nov 2024 11:00:14 +0800
Message-ID: <9d1a9d6c-5c3d-401f-8646-828bb9c282cd@bytedance.com>
In-Reply-To: <20241111-fix-mremap-32bit-wrap-v1-1-61d6be73b722@google.com>

On 2024/11/12 03:34, Jann Horn wrote:
> On 32-bit platforms, it is possible for the expression
> `len + old_addr < old_end` to be false-positive if `len + old_addr` wraps
> around. `old_addr` is the cursor in the old range up to which page table
> entries have been moved; so if the operation succeeded, `old_addr` is the
> *end* of the old region, and adding `len` to it can wrap.
>
> The overflow causes mremap() to mistakenly believe that PTEs have been
> copied; the consequence is that mremap() bails out, but doesn't move the
> PTEs back before the new VMA is unmapped, causing anonymous pages in the
> region to be lost. So basically if userspace tries to mremap() a
> private-anon region and hits this bug, mremap() will return an error and
> the private-anon region's contents appear to have been zeroed.
>
> The idea of this check is that `old_end - len` is the original start
> address, and writing the check that way also makes it easier to read; so
> fix the check by rearranging the comparison accordingly.
>
> (An alternate fix would be to refactor this function by introducing an
> "orig_old_start" variable or such.)
>
> Cc: stable@vger.kernel.org
> Fixes: af8ca1c14906 ("mm/mremap: optimize the start addresses in move_page_tables()")
> Signed-off-by: Jann Horn

Acked-by: Qi Zheng

Thanks!
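The wraparound described in the patch message, modelled in C as an added example (this is not code from the patch or from the kernel): addresses are emulated as uint32_t so the 32-bit behaviour reproduces on any host, the region bounds are constructed values, and the rearranged check is written here as `old_addr < old_end - len`, my reading of "`old_end - len` is the original start address".

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t addr_t;   /* emulate a 32-bit unsigned long */

/* Original check: "nothing moved" if len + old_addr < old_end.
 * On 32-bit, len + old_addr can wrap once old_addr has reached old_end. */
static bool nothing_moved_wrapping(addr_t len, addr_t old_addr, addr_t old_end)
{
	return (addr_t)(len + old_addr) < old_end;
}

/* Rearranged check: old_end - len is the original start, which cannot
 * wrap because len = old_end - original start, so len never exceeds old_end. */
static bool nothing_moved_fixed(addr_t len, addr_t old_addr, addr_t old_end)
{
	return old_addr < (addr_t)(old_end - len);
}

/* Model of the tail of move_page_tables(): old_addr is the cursor after the
 * copy loop (it starts at orig_start rounded down to a PMD, so it can sit
 * below orig_start if the loop breaks out on the first PMD). Returns bytes moved. */
static addr_t bytes_moved(bool (*nothing_moved)(addr_t, addr_t, addr_t),
			  addr_t orig_start, addr_t old_end, addr_t old_addr)
{
	addr_t len = old_end - orig_start;   /* saved before realignment */

	if (nothing_moved(len, old_addr, old_end))
		return 0;
	return (addr_t)(len + old_addr - old_end);   /* how much done */
}

int main(void)
{
	/* Constructed: a large region near the top of a 32-bit user space that was
	 * fully moved, so old_addr == old_end and len + old_addr exceeds 2^32. */
	addr_t start = 0x40000000u, end = 0xBFF00000u;

	printf("wrapping check: %#x bytes moved (caller bails out)\n",
	       bytes_moved(nothing_moved_wrapping, start, end, end));
	printf("fixed check:    %#x bytes moved\n",
	       bytes_moved(nothing_moved_fixed, start, end, end));
	/* Early break on the first PMD: cursor is below orig_start, both report 0. */
	printf("early break:    %#x / %#x\n",
	       bytes_moved(nothing_moved_wrapping, 0x10100000u, 0x10200000u, 0x10000000u),
	       bytes_moved(nothing_moved_fixed, 0x10100000u, 0x10200000u, 0x10000000u));
	return 0;
}
```

With the wrapping check the fully moved region reports 0 bytes moved, which is the path on which mremap() bails out without restoring the PTEs; the rearranged check reports the full length.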